We are on-prem.
When adding a new group user — just one user in a group, not an entire group — we specify the domain and then enter the user’s name. Behind the scenes the AD accounts are checked and the user is added. However, many of our users - especially those in the RPA COE and the IT teams that support us - have TWO AD accounts in our directory. One is their standard AD account - the one they use every day - for example, an employee named Peter Parker would be EUR\PARKERP if he is in France. The second AD account that these users have is an admin account - used only when they need to maintain something that requires admin access. If Peter Parker has an admin account too, it is configured like this: EUR\a_PARKERP.
If we add Mr. Parker as a group user, the AD account that is retrieved is the a_PARKERP account - most likely because it is first in the list when his name is queried.
However, he is not using that AD account 99% of the time and thus he cannot sign on using SSO to the Orchestrator.
When there is more than one AD account for the same name, we need to be presented with a list to CHOOSE the correct one.